Groups (in CornellAD) give you a way to assign access rights to network resources. CornellAD reference groups allow you to do this without requiring you to maintain lists of who belongs to each group. If you use reference groups to set permissions (rather than creating a group yourself), when a person changes status at the university, their permissions are updated automatically.

Reference groups are based on the University HR Organizational Tree as represented in the Workday Human Resources system. Reference groups are created automatically for most levels of tree, and are updated at the end of each business day.

All reference groups begin with the prefix rg. (including the period). The groups are named based on a department identifier from the old PeopleSoft HR system, or they are named based on a request from a group manager. See the current HR Tree showing all the reference groups. At each level, the descriptive name and reference group name are displayed.

To be listed in a reference group, a person must have a NetID and an entry in the PeopleSoft or Workday system. Every employee, student, retiree, trustee, and alum has at least one record in the PeopleSoft or Workday database, specifying their association with Cornell University, and each association translates into membership in related reference groups.

For example, if you are an employee, a student, and an alum all at the same time, you would be a member of all the appropriate reference groups. As another example, a person could have two job appointments, each in different departments. Each appointment would lead to membership in various reference groups.

Reference Groups for Employees

Reference groups for employees are divided further within each department. In addition to the general employee group, there are separate groups for staff, faculty, academic, temporary, and pre-arrival employees.

Examples

A staff member in the OIT Security Office would be in these reference groups:

• rg.cuniv.employee
• rg.cuniv.employee.staff
  • rg.president.employee
  • rg.president.employee.staff
    • rg.finaff.employee
    • rg.finaff.employee.staff
      • rg.cio.employee
      • rg.cio.employee.staff
        • rg.cio-asc.employee
        • rg.cio-asc.employee.staff
          • rg.cio-itsg.employee
          • rg.cio-itsg.employee.staff

A faculty member in the Department of Organizational Behavior in the ILR School (which falls under the Provost’s Office) would be in these reference groups:

• rg.cuniv.employee
• rg.cuniv.employee.faculty
  • rg.president.employee
  • rg.president.employee.faculty
    • rg.provost.employee
    • rg.provost.employee.faculty
      • rg.il.employee
      • rg.il.employee.faculty
        • rg.ilrob.employee
        • rg.ilrob.employee.faculty

Reference Groups for Students

Reference groups for students are divided further into the college(s) in which they are enrolled. A student who is enrolled in more than one college will be represented in all of the appropriate groups.

Examples

An undergraduate in Arts and Sciences would be in these reference groups:

• rg.cuniv.student
• rg.cuniv.student.undergrad
  • rg.as.student
  • rg.as.student.undergrad

A Vet School student who is on leave would be in these reference groups:

• rg.cuniv.student
• rg.cuniv.student.grad
• rg.cuniv.student.grad.onleave
  • rg.vm.student
  • rg.vm.student.grad
  • rg.vm.student.grad.onleave

Summary of All Top Level Reference Groups

rg.cuniv.employee – all employees including the sub-groups of staff, temporary, pre-arrival, academic, faculty. Does not include outbound employees

rg.cuniv.employee.staff – full time staff

rg.cuniv.employee.prearrival – employees who have been hired but have not yet had their first day of work

rg.cuniv.employee.academic – academic employees who are not faculty, such as library staff

rg.cuniv.employee.faculty – employees who are classified as faculty

rg.cuniv.employee.temporary  – employees who are not full time

rg.cuniv.student – includes both undergraduate and graduate students, including those on leave

rg.cuniv.student.undergrad – all current undergraduate students, including those on leave

rg.cuniv.student.undergrad.onleave – undergraduate students on leave only

rg.cuniv.student.grad – all current grad students, including those on leave

rg.cuniv.student.grad.onleave – graduate students on leave only

rg.cuniv.alum – all alumni

rg.cuniv.retirees – all retirees not including emeriti

rg.cuniv.emeritus – all emeriti

rg.cuniv.trustee – all trustees, not including trustees emeriti

rg.cuniv.trustee–emeritus – all trustees emeriti

Example

If Phil Schmertz is hired for a temporary position, which later becomes a permanent position, he would move from 

rg.cuniv.employee.prearrival (after being hired but before his first day of work)

to 

rg.cuniv.employee.temporary 

to 

rg.cuniv.employee.staff (when the position became permanent)

automatically. (He would also be a member of the related employee reference groups for all levels of the Organizational Tree into which his position falls.)

Frequently Asked Questions about Reference Groups

Are reference groups mail–enabled?

Some reference groups have been mail-enabled so they can be used in Cornell's Exchange system to share access to calendars and folders. For more information, please contact the Identity Management team. In addition, student reference groups at the university and college levels are mail-enabled. See Mail–Enabled Reference Groups for details.

Why don’t you break out students into groups based on their major/concentration?

This is certainly possible, but we haven’t yet found a use case. If you have a need for this kind of reference group, please contact the Identity Management team to begin a discussion about providing these groups.

Can a reference group be used with CUWebAuth?

Yes, any reference group in CornellAD can be used to provide authorization via CUWebAuth, and can provide better security and lower overhead since all reference groups are updated automatically as people join the staff, leave Cornell employment, or switch departments. 

For example, if an application needs to be restricted to only active employees, using a reference group would be more secure and less time consuming than manually managing an ad hoc group.

How can I see what reference groups a particular NetID is in?

Assuming you have access to CornellAD, see this page about viewing members of a group. Briefly, you'll find the user's NetID (three methods are listed below), then use the dropdown menu to select Members Of. This displays not only reference groups, but also local domain objects, legacy permits, EGAs, etc.

Three ways to find a person (so that you can show Member Of):

• From the Directory Management menu (in the dark blue title Cornell logo bar, on the right), select Search. Type the NetID in the Name field,  and click Search. Then select Member Of from the drop–down.

• If you know at least one legacy permit where the person is a member, use the hierarchy on the left to navigate to that permit. The members will be displayed on the right. Click on the person's NetID and select Member Of.

• If you know their OU, use the hierarchy on the left to navigate to that directory, for example,  CUniv, NetIDs, Staff (or whatever). Click on their NetID, then select Member Of from the drop–down.

How do I decide which reference group is best for me to use?

By thinking about what types of positions/statuses you want to have access (and which you don’t), the appropriate reference group(s) may become apparent. You can also contact the Identity Management team, and we will work with you to determine the best reference group(s) for your situation.

What about the old cu.employee and cu.student legacy permits? Can I still use them?

You should stop using those legacy permits and start using the new reference groups: rg.cuniv.employee and rg.cuniv.student. The old legacy permits were not true reflections of the data of record for the groups they were intended to represent. Rather, they were based on informal business processes and decisions that evolved over time. Reference groups are, in part, an effort to correct this situation. For example, retirees were never removed from cu.employee even when they had no active appointment at Cornell. With the new reference groups you can specify employee and/or retiree separately.

It looks like my department is in the wrong place in the HR Tree. How can that be  fixed?

You should talk to your unit’s HR representative. The data in the Workday HR system may need to be updated.

Why aren't retirees and emeriti in groups associated with their departments?

Often the departments for retirees and emeriti change sometime after a person’s retirement. For this reason, it is sometimes impossible to associate a retiree with a department.

Since the HR Tree is hierarchical, why didn’t you use a hierarchical naming scheme for the reference groups?

A hierarchical naming scheme would have made the group names too long to be accommodated by CornellAD. In one of our examples above, you would see

rg.cuniv.president.finaff.cio.cio-asc.cio-itsec.employee.staff

and that’s not even close to being an extreme case.

What happens when my department name changes or we get reorganized?

Reference group names rarely change, even when a department is reorganized or gets its name changed. It is more common for a department description to change, rather than the reference group name. If you would like to find out if the name of your reference group could be changed, please contact the Identity Management team.